cisco / mercury

Mercury: network metadata capture and analysis

Please support "Linux Netfilter NFLOG" #17

Open NeptuneNeptune opened 2 years ago

NeptuneNeptune commented 2 years ago

I captured packets using the following commands on Android devices:

```sh
# Mark DNS traffic and all traffic owned by the app's UID
iptables -A OUTPUT -p udp --dport 53 -j CONNMARK --set-mark ${userId}
iptables -A OUTPUT -m owner --uid-owner ${userId} -j CONNMARK --set-mark ${userId}

# Copy marked connections in both directions to an NFLOG group
iptables -A INPUT -m connmark --mark ${userId} -j NFLOG --nflog-group ${userId}
iptables -A OUTPUT -m connmark --mark ${userId} -j NFLOG --nflog-group ${userId}

# Capture from the NFLOG group into a pcap file
nohup tcpdump -i nflog:${userId} -w ${pcapPath} > /dev/null 2>&1 &
```

but I cannot analyse this pcap, because the packets are wrapped in "Linux Netfilter NFLOG".

davidmcgrew commented 2 years ago

I think you are suggesting that mercury support the PCAP LINKTYPE for Netfilter https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html, and parse the packet payload from that LINKTYPE and apply normal packet processing to it. Is that right? Thanks!

davidmcgrew commented 2 years ago

Hi NeptuneNeptune, mercury recently added support for multiple linktypes (but not NFLOG yet). Are you still interested in this issue? Thanks!
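
Added example, not part of the thread and not mercury code: one way to unwrap the LINKTYPE_NFLOG framing discussed above, so that the inner IP packets can go through normal packet processing as a raw-IP (LINKTYPE_RAW) capture. Assumptions: a classic microsecond pcap file, TLV fields in the same byte order as the pcap file, and IPv4/IPv6 payloads as produced by the iptables rules in the first comment; the function names and the sample frame are constructed for illustration.

```python
import struct

LINKTYPE_NFLOG, LINKTYPE_RAW = 239, 101  # pcap linktypes: NFLOG, raw IPv4/IPv6
NFULA_PAYLOAD = 9                         # TLV type that carries the logged packet
NLA_TYPE_MASK = 0x3FFF                    # clears the netlink attribute flag bits
# Constructed sample: NFLOG header, one padded non-payload TLV, one payload TLV.
IPV4_HDR = bytes.fromhex("4500001400004000401100007f0000017f000001")
SAMPLE_FRAME = (bytes([2, 0, 0, 1]) + struct.pack("<HH", 5, 10) + b"\0" * 4
                + struct.pack("<HH", 24, 9) + IPV4_HDR)

def nflog_payload(frame, endian="<"):
    """Return (address_family, packet) from one LINKTYPE_NFLOG frame.
    Assumption: TLV length/type are in the capturing host's byte order."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte NFLOG header")
    family, version, _resource_id = struct.unpack_from(">BBH", frame, 0)
    if version != 0:
        raise ValueError("unsupported NFLOG version %d" % version)
    off = 4
    while off + 4 <= len(frame):
        tlv_len, tlv_type = struct.unpack_from(endian + "HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            raise ValueError("malformed or truncated TLV at offset %d" % off)
        if (tlv_type & NLA_TYPE_MASK) == NFULA_PAYLOAD:
            return family, frame[off + 4:off + tlv_len]
        off += (tlv_len + 3) & ~3         # TLV values are padded to 4 bytes
    raise ValueError("no NFULA_PAYLOAD TLV in frame")

def nflog_pcap_to_raw(data):
    """Rewrite a classic pcap byte string from LINKTYPE_NFLOG to LINKTYPE_RAW."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    hdr = list(struct.unpack_from(endian + "IHHiIII", data, 0))
    if hdr[6] != LINKTYPE_NFLOG:
        raise ValueError("linktype is %d, expected NFLOG" % hdr[6])
    hdr[6] = LINKTYPE_RAW
    out, off = [struct.pack(endian + "IHHiIII", *hdr)], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _orig = struct.unpack_from(endian + "IIII", data, off)
        family, pkt = nflog_payload(data[off + 16:off + 16 + caplen], endian)
        if family not in (2, 10):         # Linux AF_INET / AF_INET6 only
            raise ValueError("non-IP address family %d" % family)
        out.append(struct.pack(endian + "IIII", sec, usec, len(pkt), len(pkt)) + pkt)
        off += 16 + caplen
    return b"".join(out)
```

A frame whose payload TLV was cut short by the capture snaplen is rejected rather than passed on as a partial packet.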